A few days ago, an outbreak of the Trojan encryptor WannaCry started. Security experts called it an epidemic since the extent of it is quite huge, with over 100,000 cases of the attack in just one day. Are you safe?
Several large organizations simultaneously reported an infection. Among the organizations were several British hospitals that had to suspend their operations. According to the data released by third parties, WannaCry has infected more than 100,000 computers. Essentially, this is why it has drawn so much attention.
The largest number of attacks occurred in Russia, but Ukraine, India, and Taiwan have suffered damage from WannaCry as well. All in all, we have discovered WannaCry in 74 countries. This was only on the first day of the attack.
Generally, WannaCry comes in two parts. First of all, it's an exploit which purposes are infection and propagation. And the second part is an encryptor that is downloaded to the computer after it has been infected.
This is the main difference between WannaCry and the majority of other encryptors. In order to infect a computer with a common encryptor, a user has to make a mistake, for example, by clicking a suspicious link, allowing Word to run a malicious macro, or downloading a suspicious attachment from an email message. A system can be infected with WannaCry without doing anything.
The creators of WannaCry have taken advantage of the Windows exploit known as "EternalBlue", which exploits a vulnerability that Microsoft patched in security update MS17-010, dated March 14 of the current year. By using the exploit, the malefactors could gain remote access to computers and install the encryptor.
Code for exploiting the "EternalBlue" bug, was released on the internet in March by a hacking group known as the Shadow Brokers. The group claimed it was stolen from a repository of National Security Agency hacking tools. The agency has not commented on that yet.
If you have Microsft's update installed, and this vulnerability no longer exists, then any attempts to hack the computer remotely will be futile. However, researchers from Kaspersky Lab's GReAT (Global Research & Analysis Team) would like to specifically point out that patching the vulnerability will not deter the encryptor from operating in any manner. Therefore, if you launch it somehow, then the patch will not do you any good.
After hacking a computer successfully, WannaCry attempts to spread itself over the local network onto other computers, in a manner of a computer worm. The encryptor scans other computers for the same vulnerability that can be exploited with the help of EternalBlue, and when WannaCry finds vulnerable machine, it attacks and encrypts files on it.
It turns out that by infecting one computer, WannaCry may infect an entire local area network and encrypt all of the computers on the network. This is why large companies suffered the most from the WannaCry attack - the more computers there are on the network, the larger the damage.
As an encryptor, WannaCry (sometimes called WCrypt or WannaCry Decryptor, even though, logically, it is an encryptor, not a decryptor) does the same as other encryptors; it encrypts files on a computer and demands a ransom for decrypting them.
WannaCry encrypts files of different types (the full list is located here), which include office documents, pictures, videos, archives, and other file formats that may potentially contain critical user data. The extensions of the encrypted files are renamed to .WCRY and the files become completely inaccessible.
After this, the Trojan changes the desktop wallpaper to a picture that contains information about the infection and actions that the user supposedly has to perform in order to recover the files. WannaCry spreads notifications as text files with the same information across folders on the computer in order to ensure that the user definitely receives the message.
Everything comes down to transferring a certain amount in the bitcoin equivalent to the wallet of the evildoers. After that they will (probably) decrypt all of the files. Initially, cybercriminals demanded $300 but then decided to raise the stakes: the latest WannaCry versions feature a ransom amount of $600.
Malefactors also intimidate the user by stating that the ransom amount will be increased in 3 days and, moreover, that it will be impossible to decrypt the files in 7 days. it is not recommended paying the ransom to the evildoers, as nobody can guarantee that they will decrypt your files after receiving the ransom. As a matter of fact, researchers have shown that other cyber extortioners sometimes simply delete user data, which means that no physical possibility to decipher the files remains, even though malefactors would still demand the ransom as if nothing has happened.
Interestingly enough, a researcher going by name Malwaretech managed to suspend infection by registering a domain with a long and absolutely nonsensical name online.
It turned out that some versions of WannaCry addressed that very domain and if they did not receive a positive reply, then they would install the encryptor and start their dirty deed. If there was a reply (i.e., the domain had been registered), then the malware would stop all of its activities.
After finding the reference to this domain in the Trojan code, the researcher registered the domain, thus suspending the attack. For the remainder of the day, the domain was addressed several tens of thousands times, which means that several tens of thousands of computers had been saved from becoming infected.
There is a theory that this functionality was built into WannaCry like a "circuit breaker" in case something goes wrong. Another theory that is adhered to by the researcher himself is that this is a way to complicate the analysis of the malware's behavior. In testing environments used in research, oftentimes it is purposely made that the positive reply comes from any domain, and, in this case, the Trojan would do nothing in the testing environment.
Regretfully, for new versions of the Trojan, it is enough for evildoers to change the domain name indicated as the "circuit breaker" to resume infection. Therefore, it is very likely that the first day of the WannaCry outbreak will not be the last.
Unfortunately, there is currently nothing that can be done to decrypt files that have been encrypted by WannaCry, although researchers are working on it. This means that the only method to fight against infection is to not get infected in the first place.
Here are several pieces of advice on how to prevent infection and minimize damage.
- If you have already a security solution installed on your system, then manually run a scan for critical areas, and if the solution detects a malware, then you should reboot your system.
- Install software updates. This case earnestly calls for installing the system security update MS17-010 for all Windows users, especially when Microsoft even released it for systems that are not officially supported anymore, such as Windows XP or Windows 2003.
- Create file backup copies on a regular basis and store the copies on storage devices that are not constantly connected to the computer. If there is a recent backup copy, then encryptor infection is not a catastrophe but a loss of several hours spent on system re-installation.
- Use a reliable anti-virus.